Vulnerabilities ›

CVE-2026-25099

High

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

CWE-434 — Weakness Type

                    Published: Mar 27, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

Bludit CMS versions prior to 3.18.4 contain a critical file upload vulnerability in the API plugin that allows authenticated attackers with valid API tokens to upload and execute arbitrary files, resulting in Remote Code Execution. This vulnerability poses significant risk to organizations using Bludit for content management, particularly those with exposed API endpoints. Immediate patching or implementation of compensating controls is essential to prevent unauthorized code execution.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 20:51

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using Bludit CMS for website and content management—particularly government agencies, educational institutions, and media organizations—face significant RCE risk. The vulnerability is especially critical for entities under NCA and SAMA oversight that host sensitive content or integrate Bludit with financial/administrative systems. Telecom and energy sector websites using Bludit could be compromised to serve as attack vectors. The authenticated nature of the attack means compromised API tokens (through phishing, insider threats, or previous breaches) could lead to complete system compromise.

🏢 Affected Saudi Sectors

Government Education Media and Publishing Telecommunications Energy Healthcare Financial Services

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1199 - Trusted Relationship T1566 - Phishing (for API token compromise) T1608.003 - Stage Capabilities: Upload Malware T1059 - Command and Scripting Interpreter T1047 - Windows Management Instrumentation

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Upgrade Bludit to version 3.18.4 or later immediately

2. Audit all API tokens and revoke any unused or suspicious tokens

3. Review API access logs for unauthorized file upload attempts

4. Scan web root and uploads directory for suspicious files (PHP, JSP, ASP, executable files)



COMPENSATING CONTROLS (if upgrade delayed):

1. Restrict API endpoint access via firewall/WAF to trusted IP ranges only

2. Implement strict file type validation at web server level (disable execution in upload directories via .htaccess or nginx config)

3. Disable the API plugin entirely if not in active use

4. Implement rate limiting on API endpoints

5. Monitor file uploads in real-time for suspicious extensions



DETECTION RULES:

1. Alert on API POST requests to /api/*/upload endpoints

2. Monitor for file uploads with executable extensions (.php, .phtml, .php3, .php4, .php5, .phar, .jsp, .jspx, .jsw, .jsv, .jspf, .aspx, .asp, .cgi, .exe, .sh)

3. Track failed authentication attempts followed by successful API calls

4. Monitor for newly created files in upload directories with modification times matching API requests

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. ترقية Bludit إلى الإصدار 3.18.4 أو أحدث فوراً

2. تدقيق جميع رموز API وإلغاء أي رموز غير مستخدمة أو مريبة

3. مراجعة سجلات وصول API للبحث عن محاولات تحميل ملفات غير مصرح بها

4. فحص جذر الويب ومجلد التحميلات بحثاً عن ملفات مريبة



الضوابط البديلة (إذا تأخر التحديث):

1. تقييد وصول نقطة نهاية API عبر جدار الحماية/WAF إلى نطاقات IP موثوقة فقط

2. تطبيق التحقق الصارم من نوع الملف على مستوى خادم الويب

3. تعطيل مكون API بالكامل إذا لم يكن قيد الاستخدام النشط

4. تطبيق تحديد معدل على نقاط نهاية API

5. مراقبة تحميلات الملفات في الوقت الفعلي للملفات المريبة



قواعد الكشف:

1. تنبيهات على طلبات API POST إلى نقاط نهاية التحميل

2. مراقبة تحميلات الملفات بامتدادات قابلة للتنفيذ

3. تتبع محاولات المصادقة الفاشلة متبوعة بنداءات API الناجحة

4. مراقبة الملفات المنشأة حديثاً في مجلدات التحميل

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.2.1 - Change management procedures A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.12.6.1 - Management of technical vulnerabilities

🔵 SAMA CSF

ID.BE-5 - Organizational resilience PR.DS-6 - Data is protected from unauthorized access PR.IP-1 - System development and acquisition DE.CM-8 - Vulnerability scans are performed

🟡 ISO 27001:2022

A.12.2.1 - Change management A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.12.6.1 - Management of technical vulnerabilities A.12.3.1 - Segregation of development, test and production environments

🟣 PCI DSS v4.0

6.2 - Ensure security patches are installed 6.5.8 - Improper access control 11.2 - Vulnerability scanning

🔗 References & Sources 2

🔗

https://cert.pl/posts/2026/03/CVE-2026-25099

cvd@cert.pl

Third Party Advisory

🔗

https://github.com/bludit/bludit/releases/tag/3.18.4

cvd@cert.pl

Release Notes

📦 Affected Products / CPE 1 entries

bludit:bludit

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-434

EPSS0.26%

Exploit No

Patch ✗ No

Published 2026-03-27

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-434

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-25099

Introduce Yourself

Sign In Required